MariaDB Open source fork of MySQL database
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any MariaDB product.
RSS Feeds for MariaDB security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in MariaDB products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by MariaDB Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2025 there have been 0 vulnerabilities in MariaDB. Last year, in 2024 MariaDB had 3 security vulnerabilities published. Right now, MariaDB is on track to have less security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 3 | 0.00 |
2023 | 4 | 6.35 |
2022 | 60 | 6.83 |
2021 | 15 | 5.43 |
2020 | 16 | 5.82 |
2019 | 16 | 5.48 |
2018 | 40 | 5.58 |
It may take a day or so for new MariaDB vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent MariaDB Security Vulnerabilities
Insecure permissions in the sys_exec function of MariaDB v10.5
CVE-2023-39593
- October 17, 2024
Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function
CVE-2024-27766
- October 17, 2024
An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability
CVE-2023-26785
- October 17, 2024
MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB)
CVE-2023-22084
4.9 - Medium
- October 17, 2023
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
A vulnerability was found in MariaDB
CVE-2023-5157
7.5 - High
- September 27, 2023
A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.
An issue was discovered in MariaDB MaxScale before 23.02.3
CVE-2023-40354
6.5 - Medium
- August 14, 2023
An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.
Cleartext Storage of Sensitive Information
MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service
CVE-2022-47015
6.5 - Medium
- January 20, 2023
MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.
NULL Pointer Dereference
Vulnerability in the MySQL Server product of Oracle MySQL (component: C API)
CVE-2022-21595
4.4 - Medium
- October 18, 2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which
CVE-2022-38791
5.5 - Medium
- August 27, 2022
In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock.
Improper Locking